CVE-2018-8040
MEDIUMApache Traffic Server <6.2.2, <7.1.3 - Info Disclosure
Title source: llmDescription
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configured not to allow access. This affects Apache Traffic Server (ATS) versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
References (5)
Core 5
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/apache/trafficserver/pull/3926
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/cc7aa2ce1c6f4fe0c6bfef517763cdaad30ec7bcb0115b73f73f3c01%40%3Cusers.trafficserver.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/36b3df68fe7311965f6bc4630ca413d2aa99d8f1d53affda85ea70d7%40%3Cusers.trafficserver.apache.org%3E
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4282
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105181
Scores
CVSS v3
5.3
EPSS
0.0783
EPSS Percentile
92.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-668
Status
published
Products (2)
apache/traffic_server
6.0.0 - 6.2.2
debian/debian_linux
9.0
Published
Aug 29, 2018
Tracked Since
Feb 18, 2026